| V-213427 | | Microsoft Defender AV must be configured to automatically take action on all detected tasks. | This policy setting allows Microsoft Defender configuration to automatically take action on all detected threats. The action to be taken on a particul... |
| V-213429 | | Microsoft Defender AV must be configured to not exclude files for scanning. | This policy setting allows disabling of scheduled and real-time scanning for files under the paths specified or for the fully qualified resources spec... |
| V-213430 | | Microsoft Defender AV must be configured to not exclude files opened by specified processes. | This policy setting allows the disabling of scheduled and real-time scanning for any file opened by any of the specified processes. The process itself... |
| V-213431 | | Microsoft Defender AV must be configured to enable the Automatic Exclusions feature. | This setting allows an administrator to specify if Automatic Exclusions feature for Server SKUs should be turned off.... |
| V-213432 | | Microsoft Defender AV must be configured to disable local setting override for reporting to Microsoft MAPS. | This policy setting configures a local override for the configuration to join Microsoft MAPS. This setting can only be set by Group Policy. If this se... |
| V-213433 | | Microsoft Defender AV must be configured to check in real time with MAPS before content is run or accessed. | This feature ensures the device checks in real time with the Microsoft Active Protection Service (MAPS) before allowing certain content to be run or a... |
| V-213434 | | Microsoft Defender AV must join Microsoft MAPS. | This policy setting allows joining Microsoft MAPS. Microsoft MAPS is the online community that helps in choosing how to respond to potential threats. ... |
| V-213435 | | Microsoft Defender AV must be configured to only send safe samples for MAPS telemetry. | This policy setting configures behavior of samples submission when opt-in for MAPS telemetry is set. Possible options are: (0x0) Always prompt (0x1)... |
| V-213436 | | Microsoft Defender AV must be configured for protocol recognition for network protection. | This policy setting allows the configuration of protocol recognition for network protection against exploits of known vulnerabilities. If this setting... |
| V-213437 | | Microsoft Defender AV must be configured to not allow local override of monitoring for file and program activity. | This policy setting configures a local override for the configuration of monitoring for file and program activity on your computer. This setting can o... |
| V-213438 | | Microsoft Defender AV must be configured to not allow override of monitoring for incoming and outgoing file activity. | This policy setting configures a local override for the configuration of monitoring for incoming and outgoing file activity. This setting can only be ... |
| V-213439 | | Microsoft Defender AV must be configured to not allow override of scanning for downloaded files and attachments. | This policy setting configures a local override for the configuration of scanning for all downloaded files and attachments. This setting can only be s... |
| V-213440 | | Microsoft Defender AV must be configured to not allow override of behavior monitoring. | This policy setting configures a local override for the configuration of behavior monitoring. This setting can only be set by Group Policy. If this se... |
| V-213441 | | Microsoft Defender AV Group Policy settings must take priority over the local preference settings. | This policy setting configures a local override for the configuration to turn on real-time protection. This setting can only be set by Group Policy. I... |
| V-213442 | | Microsoft Defender AV must monitor for incoming and outgoing files. | This policy setting allows the configuration of monitoring for incoming and outgoing files without having to turn off monitoring entirely. It is recom... |
| V-213443 | | Microsoft Defender AV must be configured to monitor for file and program activity. | This policy setting allows configuration of monitoring for file and program activity. If this setting is enabled or not configured, monitoring for fil... |
| V-213444 | | Microsoft Defender AV must be configured to scan all downloaded files and attachments. | This policy setting allows configuration of scanning for all downloaded files and attachments. If this setting is enabled or not configured, scanning ... |
| V-213445 | | Microsoft Defender AV must be configured to always enable real-time protection. | This policy setting turns off real-time protection prompts for known malware detection. Microsoft Defender Antivirus alerts when malware or potentiall... |
| V-213446 | | Microsoft Defender AV must be configured to enable behavior monitoring. | This policy setting allows configuration of behavior monitoring. If this setting is enabled or not configured, behavior monitoring will be enabled. If... |
| V-213447 | | Microsoft Defender AV must be configured to process scanning when real-time protection is enabled. | This policy setting allows the configuration of process scanning when real-time protection is turned on. This helps to catch malware, which could star... |
| V-213448 | | Microsoft Defender AV must be configured to scan archive files. | This policy setting allows the configuration of scans for malicious software and unwanted software in archive files such as .ZIP or .CAB files. If thi... |
| V-213449 | | Microsoft Defender AV must be configured to scan removable drives. | This policy setting allows the management of whether or not to scan for malicious software and unwanted software in the contents of removable drives s... |
| V-213450 | | Microsoft Defender AV must be configured to perform a weekly scheduled scan. | This policy setting allows specifying the day of the week on which to perform a scheduled scan. The scan can also be configured to run every day or to... |
| V-213451 | | Microsoft Defender AV must be configured to turn on e-mail scanning. | This policy setting allows the configuration of e-mail scanning. When e-mail scanning is enabled, the engine will parse the mailbox and mail files acc... |
| V-213454 | | Microsoft Defender AV must be configured to check for definition updates daily. | This policy setting allows specifying the day of the week on which to check for definition updates. The check can also be configured to run every day ... |
| V-213455 | | Microsoft Defender AV must be configured for automatic remediation action to be taken for threat alert level Severe. | This policy setting allows the customization of which automatic remediation action will be taken for each threat alert level. Threat alert levels shou... |
| V-213456 | | Microsoft Defender AV must be configured to block executable content from email client and webmail. | This rule blocks the following file types from being run or launched from an email seen in either Microsoft Outlook or webmail (such as Gmail.com or O... |
| V-213457 | | Microsoft Defender AV must be configured to block Office applications from creating child processes. | Office apps, such as Word or Excel, will not be allowed to create child processes. This is a typical malware behavior, especially for macro-based atta... |
| V-213458 | | Microsoft Defender AV must be configured to block Office applications from creating executable content. | This rule targets typical behaviors used by suspicious and malicious add-ons and scripts (extensions) that create or launch executable files. This is ... |
| V-213459 | | Microsoft Defender AV must be configured to block Office applications from injecting into other processes. | Office apps, such as Word, Excel, or PowerPoint, will not be able to inject code into other processes. This is typically used by malware to run malici... |
| V-213460 | | Microsoft Defender AV must be configured to impede JavaScript and VBScript to launch executables. | JavaScript and VBScript scripts can be used by malware to launch other malicious apps. This rule prevents these scripts from being allowed to launch a... |
| V-213461 | | Microsoft Defender AV must be configured to block execution of potentially obfuscated scripts. | Malware and other threats can attempt to obfuscate or hide their malicious code in some script files. This rule prevents scripts that appear to be obf... |
| V-213462 | | Microsoft Defender AV must be configured to block Win32 imports from macro code in Office. | This rule blocks potentially malicious behavior by not allowing macro code to execute routines in the Win32 dynamic link library (DLL).... |
| V-213463 | | Microsoft Defender AV must be configured to prevent user and apps from accessing dangerous websites. | Enable Microsoft Defender Exploit Guard network protection to prevent employees from using any application to access dangerous domains that may host p... |
| V-213464 | | Microsoft Defender AV must be configured for automatic remediation action to be taken for threat alert level High. | This policy setting allows the customization of which automatic remediation action will be taken for each threat alert level. Threat alert levels shou... |
| V-213465 | | Microsoft Defender AV must be configured for automatic remediation action to be taken for threat alert level Medium. | This policy setting allows the customization of which automatic remediation action will be taken for each threat alert level. Threat alert levels shou... |
| V-213466 | | Microsoft Defender AV must be configured for automatic remediation action to be taken for threat alert level Low. | This policy setting allows the customization of which automatic remediation action will be taken for each threat alert level. Threat alert levels shou... |
| V-278647 | | Microsoft Defender AV must block Adobe Reader from creating child processes. | This policy setting prevents Adobe Reader from launching other processes, which can help mitigate security risks associated with malicious PDF files.... |
| V-278648 | | Microsoft Defender AV must block credential stealing from the Windows local security authority subsystem. | This policy setting helps prevent credential stealing by locking down Local Security Authority Subsystem Service (LSASS).... |
| V-278649 | | Microsoft Defender AV must block untrusted and unsigned processes that run from USB. | This policy setting helps prevent unsigned or untrusted executable files from running from USB removable drives, including SD cards. Blocked file typ... |
| V-278650 | | Microsoft Defender AV must use advanced protection against ransomware. | This policy setting provides an extra layer of protection against ransomware. It uses both client and cloud heuristics to determine whether a file res... |
| V-278651 | | Microsoft Defender AV must audit process creations originating from PSExec and WMI commands. | This policy setting blocks processes created through PsExec and WMI from running. Both PsExec and WMI can remotely execute code. There is a risk of ma... |
| V-278652 | | Microsoft Defender AV must audit persistence through WMI event subscription. | This policy setting prevents malware from abusing WMI to attain persistence on a device. Fileless threats employ various tactics to stay hidden, to a... |
| V-278653 | | Microsoft Defender AV must audit executable files from running unless they meet a prevalence, age, or trusted list criterion. | This policy setting blocks executable files, such as .exe, .dll, or .scr, from launching. Thus, launching untrusted or unknown executable files can be... |
| V-278654 | | Microsoft Defender AV must block Office communication application from creating child processes. | This policy setting prevents Outlook from creating child processes while still allowing legitimate Outlook functions. This rule protects against socia... |
| V-278655 | | Microsoft Defender AV must block abuse of exploited vulnerable signed drivers. | This policy setting prevents an application from writing a vulnerable signed driver to disk. Vulnerable signed drivers can be exploited by local appli... |
| V-278656 | | Microsoft Defender AV must configure local administrator merge behavior for lists. | This policy setting configures how locally defined lists are combined or merged with globally defined lists. This setting applies to exclusion lists, ... |
| V-278658 | | Microsoft Defender AV must control whether exclusions are visible to Local Admins. | Disabled (Default): If this setting is not configured or disabled, local admins can see exclusions in the Windows Security App or via PowerShell. Ena... |
| V-278659 | | Microsoft Defender AV must randomize scheduled task times. | In Microsoft Defender Antivirus, randomize the start time of the scan to any interval from 0 to 23 hours. By default, scheduled tasks begin at a rando... |
| V-278660 | | Microsoft Defender AV must hide the Family options area. | The Family options section contains links to settings and further information for parents of a Windows PC. It is not intended for enterprise or busine... |
| V-278661 | | Microsoft Defender AV must enable the file hash computation feature. | This policy drives the ability to enforce Indicators of Compromise (IoC) by using file hash allow/block indicators.... |
| V-278662 | | Microsoft Defender AV must enable extended cloud check. | When Microsoft Defender Antivirus finds a suspicious file, it can prevent the file from running while it queries the Microsoft Defender Antivirus clou... |
| V-278668 | | Microsoft Defender AV must enable script scanning. | Always-on protection consists of real-time protection, behavior monitoring, and heuristics to identify malware based on known suspicious and malicious... |
| V-278669 | | Microsoft Defender AV must enable real-time protection and Security Intelligence Updates during OOBE. | Always-on protection consists of real-time protection, behavior monitoring, and heuristics to identify malware based on known suspicious and malicious... |
| V-278672 | | Microsoft Defender AV must enable network protection to be configured into block or audit mode on Windows Server. | Microsoft's Exploit Guard comprises several techniques to defend against phishing attacks and malware. These include controlled folder access, attack ... |
| V-278674 | | Microsoft Defender AV must enable EDR in block mode. | EDR in block mode allows Microsoft Defender Antivirus to take actions on post-breach, behavioral EDR detections. EDR in block mode is integrated with ... |
| V-278675 | | Microsoft Defender AV must report Dynamic Signature dropped events. | Microsoft Defender Antivirus logs "Dynamic Signature dropped" events when it blocks or removes a file based on a dynamically updated signature, but th... |
| V-278676 | | Microsoft Defender AV must scan excluded files and directories during quick scans. | In Microsoft Defender Antivirus, when an exclusion for a file or folder is created, it will generally be skipped during both real-time protection and ... |
| V-278677 | | Microsoft Defender AV must convert warn verdict to block. | If a site URL has an unknown or uncertain reputation, a toast notification presents the user with the following options: - Ok: The toast notification... |
| V-278678 | | Microsoft Defender AV must enable asynchronous inspection. | Network protection includes performance optimization that allows block mode to asynchronously inspect long-lived connections, which might provide a pe... |
| V-278679 | | Microsoft Defender AV must scan packed executables. | This policy setting manages whether Microsoft Defender Antivirus scans packed executables. Packed executables are executable files that contain compre... |
| V-278680 | | Microsoft Defender AV must enable heuristics. | Always-on protection consists of real-time protection, behavior monitoring, and heuristics to identify malware based on known suspicious and malicious... |
| V-278863 | | Microsoft Defender AV must set cloud protection level to High. | Cloud protection in Microsoft Defender Antivirus delivers accurate, real-time, and intelligent protection. Cloud protection should be enabled by defau... |
| V-213426 | | Microsoft Defender AV must be configured to block the Potentially Unwanted Application (PUA) feature. | After enabling this feature, PUA protection blocking takes effect on endpoint clients after the next signature update or computer restart. Signature u... |
| V-213428 | | Microsoft Defender AV must be configured to run and scan for malware and other potentially unwanted software. | This policy setting turns off Microsoft Defender Antivirus. If this policy setting is enabled, Microsoft Defender Antivirus does not run and computers... |
| V-213452 | | Microsoft Defender AV spyware definition age must not exceed 7 days. | This policy setting allows defining the number of days that must pass before spyware definitions are considered out of date. If definitions are determ... |
| V-213453 | | Microsoft Defender AV virus definition age must not exceed 7 days. | This policy setting allows defining the number of days that must pass before virus definitions are considered out of date. If definitions are determin... |